


CCNP Security SISAS 300-208 Official Cert Guide

CCNP Security SISAS 300-208 Official Cert Guide from Cisco Press enables you to succeed on the exam the first time and is the only self-study resource approved by Cisco. Cisco security experts Aaron Woland and Kevin Redmon share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills.

This complete study package includes

A test-preparation routine proven to help you pass the exam
"Do I Know This Already?" quizzes, which enable you to decide how much time you need to spend on each section
The powerful Pearson IT Certification Practice Test software, complete with hundreds of well-reviewed, exam-realistic questions, customization options, and detailed performance reports
A final preparation chapter, which guides you through tools and resources to help you craft your review and test-taking strategies
Study plan suggestions and templates to help you organize and optimize your study time
Well regarded for its level of detail, study plans, assessment features, challenging review questions and exercises, video instruction, and hands-on labs, this official study guide helps you master the concepts and techniques that ensure your exam success.

Aaron T. Woland, CCIE No. 20113, is a Principal Engineer and works with the largest Cisco customers all over the world. His primary job responsibilities include Secure Access and Identity deployments with ISE, solution enhancements, standards development, and futures. Aaron is the author of Cisco ISE for BYOD and Secure Unified Access (Cisco Press) and many published white papers and design guides. He is one of the first six members of the Hall of Fame for Distinguished Speakers at Cisco Live, and is a security columnist for Network World, where he blogs on all things related to Identity.

Kevin Redmon is a Systems Test Engineer with the Cisco IoT Vertical Solutions Group, specializing in all things security. Previously with the Cisco Systems Development Unit, Kevin supported several iterations of the Cisco Validated Design Guide for BYOD and is the author of Cisco Bring Your Own Device (BYOD) Networking Live Lessons (Cisco Press). Since joining Cisco in October 2000, he has worked closely with several Cisco design organizations, and as Firewall/VPN Customer Support Engineer with the Cisco Technical Assistance Center (TAC). He holds several Cisco certifications and has an issued patent with the U.S. Patent and Trademark Office.

The official study guide helps you master topics on the CCNP Security SISAS 300-208 exam, including the following:

Identity management/secure access
Threat defense
Troubleshooting, monitoring and reporting tools
Threat defense architectures
Identity management architectures
The CD contains 150 practice questions for the exam and a study planner tool.


Introduction xxxi

Part I The CCNP Certification

Chapter 1 CCNP Security Certification 3

CCNP Security Certification Overview 3

Contents of the CCNP-Security SISAS Exam 4

How to Take the SISAS Exam 5

Who Should Take This Exam and Read This Book? 6

Format of the CCNP-Security SISAS Exam 9

CCNP-Security SISAS 300-208 Official Certification Guide 10

Book Features and Exam Preparation Methods 13

Part II "The Triple A" (Authentication, Authorization, and Accounting)

Chapter 2 Fundamentals of AAA 17

"Do I Know This Already?" Quiz 18

Foundation Topics 21

Triple-A 21

Compare and Select AAA Options 21

Device Administration 21

Network Access 22


TACACS+ Authentication Messages 25

TACACS+ Authorization and Accounting Messages 26


AV-Pairs 31

Change of Authorization 31

Comparing RADIUS and TACACS+ 32
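
The chapter's RADIUS-versus-TACACS+ comparison turns on one wire-level difference: RADIUS (RFC 2865) hides only the User-Password attribute, while TACACS+ (RFC 8907) obfuscates the entire packet body, so usernames, AV-pairs and command authorizations are not readable on path. The following Python implementation of both algorithms is an added example and is not code from the book or from Cisco; the packet builders, the sample username, password and shared secret, and the constant TACACS+ session ID are constructed for illustration.

```python
import hashlib
import os
import struct


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


# ---------- RADIUS (RFC 2865): only User-Password is hidden ----------

def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16 octets, then chain
    c_i = p_i XOR MD5(secret + c_{i-1}), seeded with the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is limited to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, _md5(secret, prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


def radius_access_request(identifier: int, username: bytes, password: bytes,
                          secret: bytes, request_auth: bytes) -> bytes:
    """Code 1 packet: User-Name (type 1) travels in the clear, User-Password (type 2) hidden."""
    def attr(t: int, v: bytes) -> bytes:
        return bytes([t, 2 + len(v)]) + v
    attrs = attr(1, username) + attr(2, radius_hide_password(password, secret, request_auth))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth + attrs


# ---------- TACACS+ (RFC 8907): the whole body is obfuscated ----------

def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, then truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = _md5(seed, prev)
        pad += prev
    return pad[:length]


def tacacs_xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call obfuscates and de-obfuscates."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start(session_id: int, key: bytes, username: bytes, port: bytes,
                        rem_addr: bytes, data: bytes = b"", seq_no: int = 1) -> bytes:
    """Authentication START packet: 12-octet cleartext header + obfuscated body.
    action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)."""
    version = 0xC0  # major version 0xC, minor version 0
    body = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(username), len(port), len(rem_addr), len(data))
    body += username + port + rem_addr + data
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))  # flags=0: obfuscated
    return header + tacacs_xor_body(body, session_id, key, version, seq_no)


def compare_on_the_wire(username: bytes, password: bytes, secret: bytes) -> dict:
    """Which credential fields an on-path observer can read from each protocol's packet.
    The session ID below is a constructed constant, not a value from a real exchange."""
    ra = os.urandom(16)
    radius = radius_access_request(7, username, password, secret, ra)
    tacacs = tacacs_authen_start(0x12345678, secret, username, b"tty1", b"10.1.1.50")
    return {
        "radius_username_visible": username in radius,
        "radius_password_visible": password in radius,
        "tacacs_username_visible": username in tacacs[12:],
    }


if __name__ == "__main__":
    print(compare_on_the_wire(b"aaron", b"S3cret!", b"cisco123"))
```

Two caveats worth keeping in mind when reading the output: both schemes are keyed MD5 stream constructions from the 1990s, not modern authenticated encryption, so the shared secret and the transport (IPsec, or RADIUS over TLS) carry the real security burden; and for the EAP-based 802.1X flows later in the book the RADIUS User-Password attribute is not used at all, the EAP payload is tunnelled inside EAP-Message attributes instead.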

Exam Preparation Tasks 33

Review All Key Topics 33

Define Key Terms 33

Chapter 3 Identity Management 35

"Do I Know This Already?" Quiz 35

Foundation Topics 38

What Is an Identity? 38

Identity Stores 38

Internal Identity Stores 39

External Identity Stores 41

Active Directory 42


Two-Factor Authentication 43

One-Time Password Services 44

Smart Cards 45

Certificate Authorities 46

Has the Certificate Expired? 47

Has the Certificate Been Revoked? 48

Exam Preparation Tasks 51

Review All Key Topics 51

Define Key Terms 51

Chapter 4 EAP Over LAN (Also Known As 802.1X) 53

"Do I Know This Already?" Quiz 53

Foundation Topics 56

Extensible Authentication Protocol 56

EAP over LAN (802.1X) 56

EAP Types 58

Native EAP Types (Nontunneled EAP) 58

Tunneled EAP Types 59

Summary of EAP Authentication Types 62

EAP Authentication Type Identity Store Comparison Chart 62

Network Access Devices 63

Supplicant Options 63

Windows Native Supplicant 64

Cisco AnyConnect NAM Supplicant 75

EAP Chaining 89

Exam Preparation Tasks 90

Review All Key Topics 90

Define Key Terms 90

Chapter 5 Non-802.1X Authentications 93

"Do I Know This Already?" Quiz 93

Foundation Topics 97

Devices Without a Supplicant 97

MAC Authentication Bypass 98

Web Authentication 100

Local Web Authentication 101

Local Web Authentication with a Centralized Portal 102

Centralized Web Authentication 104

Remote Access Connections 106

Exam Preparation Tasks 107

Review All Key Topics 107

Define Key Terms 107

Chapter 6 Introduction to Advanced Concepts 109

"Do I Know This Already?" Quiz 109

Foundation Topics 113

Change of Authorization 113

Automating MAC Authentication Bypass 113

Posture Assessments 117

Mobile Device Managers 118

Exam Preparation Tasks 120

Review All Key Topics 120

Define Key Terms 120

Part III Cisco Identity Services Engine

Chapter 7 Cisco Identity Services Engine Architecture 123

"Do I Know This Already?" Quiz 123

Foundation Topics 127

What Is Cisco ISE? 127

Personas 129

Administration Node 129

Policy Service Node 129

Monitoring and Troubleshooting Node 130

Inline Posture Node 130

Physical or Virtual Appliance 131

ISE Deployment Scenarios 133

Single-Node Deployment 133

Two-Node Deployment 135

Four-Node Deployment 136

Fully Distributed Deployment 137

Communication Between Nodes 138

Exam Preparation Tasks 148

Review All Key Topics 148

Define Key Terms 148

Chapter 8 A Guided Tour of the Cisco ISE Graphical User Interface 151

"Do I Know This Already?" Quiz 151

Foundation Topics 155

Logging In to ISE 155

Initial Login 155

Administration Dashboard 161

Administration Home Page 162

Server Information 162

Setup Assistant 163

Help 163

Organization of the ISE GUI 164

Operations 165

Authentications 165

Reports 169

Endpoint Protection Service 170

Troubleshoot 171

Policy 173

Authentication 173

Authorization 173

Profiling 174

Posture 175

Client Provisioning 175

Security Group Access 176

Policy Elements 177

Administration 178

System 178

Identity Management 183

Network Resources 186

Web Portal Management 189

Feed Service 191

Type of Policies in ISE 192

Authentication 192

Authorization 193

Profiling 193

Posture 193

Client Provisioning 193

Security Group Access 193

Exam Preparation Tasks 195

Review All Key Topics 195

Define Key Terms 195

Chapter 9 Initial Configuration of Cisco ISE 197

"Do I Know This Already?" Quiz 197

Foundation Topics 201

Cisco Identity Services Engine Form Factors 201

Bootstrapping Cisco ISE 201

Where Are Certificates Used with the Cisco Identity Services Engine? 204

Self-Signed Certificates 206

CA-Signed Certificates 206

Network Devices 216

Network Device Groups 216

Network Access Devices 217

Local User Identity Groups 218

Local Endpoint Groups 219

Local Users 220

External Identity Stores 220

Active Directory 221

Prerequisites for Joining an Active Directory Domain 221

Joining an Active Directory Domain 222

Certificate Authentication Profile 226

Identity Source Sequences 227

Exam Preparation Tasks 230

Review All Key Topics 230

Chapter 10 Authentication Policies 233

"Do I Know This Already?" Quiz 233

Foundation Topics 237

The Relationship Between Authentication and Authorization 237

Authentication Policy 237

Goals of an Authentication Policy 238

Goal 1: Accept Only Allowed Protocols 238

Goal 2: Select the Correct Identity Store 238

Goal 3: Validate the Identity 239

Goal 4: Pass the Request to the Authorization Policy 239

Understanding Authentication Policies 239

Conditions 241

Allowed Protocols 243

Extensible Authentication Protocol Types 245

Tunneled EAP Types 245

Identity Store 247

Options 247

Common Authentication Policy Examples 248

Using the Wireless SSID 248

Remote Access VPN 251

Alternative ID Stores Based on EAP Type 253

More on MAB 255

Restore the Authentication Policy 257

Exam Preparation Tasks 258

Review All Key Topics 258

Chapter 11 Authorization Policies 261

"Do I Know This Already?" Quiz 261

Foundation Topics 265

Authentication Versus Authorization 265

Authorization Policies 265

Goals of Authorization Policies 265

Understanding Authorization Policies 266

Role-specific Authorization Rules 271

Authorization Policy Example 272

Employee Full Access Rule 272

Internet Only for Smart Devices 274

Employee Limited Access Rule 277

Saving Conditions for Reuse 279

Combining AND with OR Operators 281
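
The authorization chapter's worked policy (an "Employee Full Access" rule, an "Internet Only for Smart Devices" rule and an "Employee Limited Access" rule, built from saved conditions combined with AND and OR) is evaluated first-match, top-down, with a default rule at the bottom. The Python model below is an added example, not code from the book or from Cisco ISE; the attribute names, the saved-condition names, the authorization profile names and the four sample sessions are all constructed for illustration. It exists to show the one thing the GUI makes easy to get wrong: rule order decides the outcome when a session matches more than one rule.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Sequence, Tuple

# A session is the attribute set collected for one endpoint/user: identity-store
# group membership, the EAP type used, the profiled endpoint policy, posture status.
Session = Dict[str, object]
Condition = Callable[[Session], bool]


def attr_equals(name: str, value: object) -> Condition:
    return lambda s: s.get(name) == value


def attr_contains(name: str, value: object) -> Condition:
    """True when a multi-valued attribute (e.g. the AD group list) holds value."""
    return lambda s: value in (s.get(name) or ())


def all_of(*conds: Condition) -> Condition:  # AND
    return lambda s: all(c(s) for c in conds)


def any_of(*conds: Condition) -> Condition:  # OR
    return lambda s: any(c(s) for c in conds)


def negate(cond: Condition) -> Condition:
    return lambda s: not cond(s)


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Condition
    profile: str  # authorization profile returned on match


@dataclass(frozen=True)
class AuthorizationPolicy:
    rules: Sequence[Rule]
    default_profile: str = "DenyAccess"

    def evaluate(self, session: Session) -> Tuple[str, str]:
        """First-match, top-down: the first rule whose condition holds wins;
        the default rule at the bottom catches everything else."""
        for rule in self.rules:
            if rule.condition(session):
                return rule.name, rule.profile
        return "Default", self.default_profile


# Saved (reusable) conditions, named the way library entries would be (constructed names).
EMPLOYEE = attr_contains("ad_groups", "Employees")
EAP_TLS = attr_equals("eap_type", "EAP-TLS")
PEAP = attr_equals("eap_type", "PEAP")
COMPLIANT = attr_equals("posture", "Compliant")
SMART_DEVICE = any_of(attr_equals("endpoint_policy", "Apple-iDevice"),
                      attr_equals("endpoint_policy", "Android"))

EMPLOYEE_FULL = Rule("Employee Full Access", all_of(EMPLOYEE, EAP_TLS, COMPLIANT), "PermitAccess")
INTERNET_ONLY = Rule("Internet Only for Smart Devices", all_of(EMPLOYEE, SMART_DEVICE), "Internet-Only")
EMPLOYEE_LIMITED = Rule("Employee Limited Access",
                        all_of(EMPLOYEE, any_of(EAP_TLS, PEAP), negate(COMPLIANT)), "Limited-Access")

POLICY = AuthorizationPolicy([EMPLOYEE_FULL, INTERNET_ONLY, EMPLOYEE_LIMITED])

# Constructed sample sessions, not real ISE data.
SESSIONS: Dict[str, Session] = {
    "laptop-compliant": {"ad_groups": ["Employees", "Domain Users"], "eap_type": "EAP-TLS",
                         "endpoint_policy": "Windows7-Workstation", "posture": "Compliant"},
    "iphone": {"ad_groups": ["Employees"], "eap_type": "EAP-TLS",
               "endpoint_policy": "Apple-iDevice", "posture": "Unknown"},
    "laptop-noncompliant": {"ad_groups": ["Employees"], "eap_type": "PEAP",
                            "endpoint_policy": "Windows7-Workstation", "posture": "NonCompliant"},
    "contractor": {"ad_groups": ["Contractors"], "eap_type": "PEAP",
                   "endpoint_policy": "Windows7-Workstation", "posture": "Compliant"},
}


def evaluate_all(policy: AuthorizationPolicy = POLICY) -> Dict[str, str]:
    """Authorization profile each sample session receives under the given rule order."""
    return {name: policy.evaluate(s)[1] for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, profile in evaluate_all().items():
        print(f"{name:20s} -> {profile}")
```

Swap the first two rules and a compliant, EAP-TLS iPhone drops from PermitAccess to Internet-Only, because the smart-device rule now fires before the full-access rule gets a look. When reviewing a production policy, read it the way the engine does: from the top, stopping at the first hit, and treat any broad rule placed above a narrower one as shadowing it.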

Exam Preparation Tasks 287

Review All Key Topics 287

Define Key Terms 287

Part IV Implementing Secure Network Access

Chapter 12 Implement Wired and Wireless Authentication 289

"Do I Know This Already?" Quiz 290

Foundation Topics 293

Authentication Configuration on Wired Switches 293

Global Configuration AAA Commands 293

Global Configuration RADIUS Commands 294

IOS 12.2.X 294

IOS 15.X 295

Both IOS 12.2.X and 15.X 296

Global 802.1X Commands 297

Creating Local Access Control Lists 297

Interface Configuration Settings for All Cisco Switches 298

Configuring Interfaces as Switchports 299

Configuring Flexible Authentication and High Availability 299

Host Mode of the Switchport 302

Configuring Authentication Settings 303

Configuring Authentication Timers 305

Applying the Initial ACL to the Port and Enabling Authentication 305

Authentication Configuration on WLCs 306

Configuring the AAA Servers 306

Adding the RADIUS Authentication Servers 306

Adding the RADIUS Accounting Servers 308

Configuring RADIUS Fallback (High-Availability) 309

Configuring the Airespace ACLs 310

Creating the Web Authentication Redirection ACL 310

Creating the Posture Agent Redirection ACL 313

Creating the Dynamic Interfaces for the Client VLANs 315

Creating the Guest Dynamic Interface 317

Creating the Wireless LANs 318

Creating the Guest WLAN 319

Creating the Corporate SSID 324

Verifying Dot1X and MAB 329

Endpoint Supplicant Verification 329

Network Access Device Verification 329

Verifying Authentications with Cisco Switches 329

Sending Syslog to ISE 332

Verifying Authentications with Cisco WLCs 334

Cisco ISE Verification 336

Live Authentications Log 336

Live Sessions Log 337

Looking Forward 338

Exam Preparation Tasks 339

Review All Key Topics 339

Define Key Terms 339

Chapter 13 Web Authentication 341

"Do I Know This Already?" Quiz 341

Foundation Topics 345

Web Authentication Scenarios 345

Local Web Authentication 346

Centralized Web Authentication 346

Device Registration WebAuth 349

Configuring Centralized Web Authentication 350

Cisco Switch Configuration 350

Configuring Certificates on the Switch 350

Enabling the Switch HTTP/HTTPS Server 350

Verifying the URL-Redirection ACL 351

Cisco WLC Configuration 352

Validating That MAC Filtering Is Enabled on the WLAN 352

Validating That Radius NAC Is Enabled on the WLAN 352

Validate That the URL-Redirection ACL Is Configured 353

Captive Portal Bypass 354

Configuring ISE for Centralized Web Authentication 355

Configuring MAB for the Authentication 355

Configuring the Web Authentication Identity Source Sequence 356

Configuring a dACL for Pre-WebAuth Authorization 357

Configuring an Authorization Profile 359

Building CWA Authorization Policies 360

Creating the Rule to Redirect to CWA 360

Creating the Rules to Authorize Users Who Authenticate via CWA 361

Creating the Guest Rule 361

Creating the Employee Rule 362

Configuring Device Registration Web Authentication 363

Creating the Endpoint Identity Group 363

Creating the DRW Portal 364

Creating the Authorization Profile 365

Creating the Rule to Redirect to DRW 367

Creating the Rule to Authorize DRW-Registered Endpoints 368

Verifying Centralized Web Authentication 369

Checking the Experience from the Client 369

Checking on ISE 372

Checking the Live Log 372

Checking the Endpoint Identity Group 373

Checking the NAD 374

show Commands on the Wired Switch 374

Viewing the Client Details on the WLC 375

Exam Preparation Tasks 377

Review All Key Topics 377

Chapter 14 Deploying Guest Services 379

"Do I Know This Already?" Quiz 379

Foundation Topics 383

Guest Services Overview 383

Guest Services and WebAuth 383

Portal Types 384

Configuring the Web Portal Settings 389

Port Numbers 390

Interfaces 391

Friendly Names 391

Configuring the Sponsor Portal Policies 392

Sponsor Types 393

Mapping Groups 396

Guest User Types 398

Managing Guest Portals 398

Portal Types 399

Building Guest Authorization Policies 400

Provisioning Guest Accounts from a Sponsor Portal 416

Individual 416

Random 417

Import 418

Verifying Guest Access on the WLC/Switch 419

WLC 419

Exam Preparation Tasks 439

Review All Key Topics 439

Define Key Terms 439

Chapter 15 Profiling 441

"Do I Know This Already?" Quiz 441

Foundation Topics 445

ISE Profiler 445

Cisco ISE Probes 447

Probe Configuration 447



Network Scan 453

DNS 454



HTTP Probe 457

HTTP Profiling Without Probes 459

Infrastructure Configuration 459

DHCP Helper 459

SPAN Configuration 460

VLAN Access Control Lists 461

Device Sensor 462

VMware Configurations to Allow Promiscuous Mode 463

Profiling Policies 464

Profiler Feed Service 464

Configuring the Profiler Feed Service 465

Verifying the Profiler Feed Service 465

Endpoint Profile Policies 467

Logical Profiles 478

ISE Profiler and CoA 478

Global CoA 479

Per-profile CoA 480

Global Profiler Settings 481

Endpoint Attribute Filtering 482

Profiles in Authorization Policies 482

Endpoint Identity Groups 483

EndPoint Policy 486

Verify Profiling 486

The Dashboard 486

Endpoints Drill-down 487

Global Search 488

Endpoint Identities 489

Device Sensor Show Commands 491

Exam Preparation Tasks 492

Review All Key Topics 492

Part V Advanced Secure Network Access

Chapter 16 Certificate-Based User Authentications 495

"Do I Know This Already?" Quiz 495

Foundation Topics 499

Certificate Authentication Primer 499

Determine Whether a Trusted Authority Has Signed the Digital Certificate 499

Examine Both the Start and End Dates to Determine Whether the Certificate Has Expired 501

Verify Whether the Certificate Has Been Revoked 502

Validate That the Client Has Provided Proof of Possession 504

A Common Misconception About Active Directory 505


Configuring ISE for Certificate-Based Authentications 506

Validate Allowed Protocols 507

Certificate Authentication Profile 508

Verify That the Authentication Policy Is Using CAP 509

Authorization Policies 511

Ensuring the Client Certificates Are Trusted 512

Importing the Certificate Authority's Public Certificate 513

Configuring Certificate Status Verification (optional) 515

Verifying Certificate Authentications 516

Exam Preparation Tasks 520

Review All Key Topics 520

Define Key Terms 520

Chapter 17 Bring Your Own Device 523

"Do I Know This Already?" Quiz 524

Foundation Topics 528

BYOD Challenges 528

Onboarding Process 529

BYOD Onboarding 529

Dual SSID 530

Single SSID 531

Configuring NADs for Onboarding 532

Configuring the WLC for Dual-SSID Onboarding 532

Reviewing the WLAN Configuration 532

Verifying the Required ACLs 535

ISE Configuration for Onboarding 538

The End User Experience 539

Single-SSID with Apple iOS Example 539

Dual SSID with Android Example 549

Unsupported Mobile Device: BlackBerry Example 555

Configuring ISE for Onboarding 557

Creating the Native Supplicant Profile 557

Configuring the Client Provisioning Policy 559

Configuring the WebAuth 561

Verifying Default Unavailable Client Provisioning Policy Action 562

Creating the Authorization Profiles 563

Creating the Authorization Rules for Onboarding 565

Creating the Authorization Rules for the EAP-TLS Authentications 566

Configuring SCEP 567

BYOD Onboarding Process Detailed 570

iOS Onboarding Flow 570

Phase 1: Device Registration 570

Phase 2: Device Enrollment 571

Phase 3: Device Provisioning 572

Android Flow 573

Phase 1: Device Registration 573

Phase 2: Download SPW 575

Phase 3: Device Provisioning 576

Windows and Mac OSX Flow 577

Phase 1: Device Registration 578

Phase 2: Device Provisioning 579

Verifying BYOD Flows 581

Live Log 581

Reports 581

Identities 582

MDM Onboarding 583

Integration Points 583

Configuring MDM Integration 584

Configuring MDM Onboarding Rules 586

Creating the Authorization Profile 586

Creating the Authorization Rules 588

Managing Endpoints 590

Self Management 590

Administrative Management 593

The Opposite of BYOD: Identify Corporate Systems 593

Exam Preparation Tasks 595

Review All Key Topics 595

Define Key Terms 595

Chapter 18 TrustSec and MACSec 597

"Do I Know This Already?" Quiz 597

Foundation Topics 601

Ingress Access Control Challenges 601

VLAN Assignment 601

Ingress Access Control Lists 603

What Is TrustSec? 605

What Is a Security Group Tag? 606

Defining the SGTs 607

Classification 609

Dynamically Assigning SGT via 802.1X 610

Manually Assigning SGT at the Port 611

Manually Binding IP Addresses to SGTs 611

Access Layer Devices That Do Not Support SGTs 612

Mapping a Subnet to an SGT 613

Mapping a VLAN to an SGT 613

Transport: Security Group Exchange Protocol 613

SXP Design 614

Configuring SXP on IOS Devices 615

Configuring SXP on Wireless LAN Controllers 617

Configuring SXP on Cisco ASA 619

Verifying SXP Connections in ASDM 620

Transport: Native Tagging 621

Configuring Native SGT Propagation (Tagging) 622

Configuring SGT Propagation on Cisco IOS Switches 623

Configuring SGT Propagation on a Catalyst 6500 625

Configuring SGT Propagation on a Nexus Series Switch 627

Enforcement 628


Security Group Firewalls 631

Security Group Firewall on the ASA 632

Security Group Firewall on the ISR and ASR 632

MACSec 632

Downlink MACSec 634

Switch Configuration Modes 636

ISE Configuration 637

Uplink MACSec 638

Manually Configuring Uplink MACSec 638

Verifying the Manual Configuration 640

Exam Preparation Tasks 642

Review All Key Topics 642

Define Key Terms 642

Chapter 19 Posture Assessment 645

"Do I Know This Already?" Quiz 645

Foundation Topics 648

Posture Service Overview 648

Posture Flow 649

Agent Types 650

Posture Conditions 652

CoA with Posture 654

Configuring Posture 655

Downloading CPP Resources 656

Client Provisioning Policy 657

Posture Policy Building Blocks 658

Condition 659

Remediation 661

Requirement 662

Modifying the Authorization Policy for CPP 663

Modifying the Authorization Policy for Compliance 666

Verifying Posture and Redirect 667

Exam Preparation Tasks 675

Review All Key Topics 675

Define Key Terms 675

Part VI Safely Deploying in the Enterprise

Chapter 20 Deploying Safely 677

"Do I Know This Already?" Quiz 677

Foundation Topics 680

Why Use a Phased Approach? 680

A Phased Approach 681

Comparing Authentication Open to Standard 802.1X 682

Preparing ISE for a Staged Deployment 683

Monitor Mode 685

Low-Impact Mode 689

Closed Mode 692

Transitioning from Monitor Mode to Your End State 695

Wireless Networks 695

Exam Preparation Tasks 696

Review All Key Topics 696

Chapter 21 ISE Scale and High Availability 699

"Do I Know This Already?" Quiz 699

Foundation Topics 702

Configuring ISE Nodes in a Distributed Environment 702

Making the First Node a Primary Device 702

Registering an ISE Node to the Deployment 703

Ensuring the Personas of All Nodes Are Accurate 706

Licensing in a Multinode ISE Cube 706

Understanding the HA Options Available 707

Primary and Secondary Nodes 707

Monitoring and Troubleshooting Nodes 707

Policy Administration Nodes 709

Node Groups 710

Using Load Balancers 713

General Guidelines 713

Failure Scenarios 714

IOS Load Balancing 715

Maintaining ISE Deployments 716

Patching ISE 716

Backup and Restore 718

Exam Preparation Tasks 720

Review All Key Topics 720

Define Key Terms 720

Chapter 22 Troubleshooting Tools 723

"Do I Know This Already?" Quiz 723

Foundation Topics 726

Logging 726

Live Log 726

Live Sessions Log 728

Logging and Remote Logging 729

Logging Targets 729

Logging Categories 730

Debug Logs 731

Downloading Debug Logs from the GUI 732

Viewing Log Files from the CLI 733

Support Bundles 734

Diagnostics Tools 735

Evaluate Configuration Validator 735

RADIUS Authentication Troubleshooting Tool 739

TCP Dump 741

Ensuring Live Log Displays All Events (Bypassing Suppression) 746

Disabling Suppression 747

Troubleshooting Outside of ISE 748

Endpoint Diagnostics 748

AnyConnect Diagnostics and Reporting Tool 748

AnyConnect NAM Extended Logging 751

Microsoft Native Supplicant 752

Supplicant Provisioning Logs 753

Network Device Troubleshooting 753

The Go-To: show authentication session interface 753

Viewing Client Details on the WLC 754

Debug Commands 755

Exam Preparation Tasks 756

Review All Key Topics 756

Part VII Final Preparation

Chapter 23 Final Preparation 759

Advice About the Exam Event 759

Learning the Question Types Using the Cisco Certification Exam Tutorial 759

Thinking About Your Time Budget Versus Number of Questions 760

A Suggested Time-Check Method 761

Miscellaneous Pre-Exam Suggestions 762

Exam-Day Advice 762

Exam Review 763

Taking Practice Exams 763

Practicing Taking the SISAS Exam 764

Advice on How to Answer Exam Questions 765

Taking Other Practice Exams 766

Finding Knowledge Gaps Through Question Review 767

Other Study Tasks 769

Final Thoughts 770

Part VIII Appendixes

Appendix A Answers to the "Do I Know This Already?" Quizzes 773

Appendix B Configuring the Microsoft CA for BYOD 795

CA Requirements 795

Other Useful Information 795

Microsoft Hotfixes 796

AD Account Roles 796

Configuration Steps 796

Installing the CA 796

Adding the Remaining Roles 804

Configuring the Certificate Template 809

Publishing the Certificate Template 814

Editing the Registry 816

Useful Links 819

Appendix C Using the Dogtag CA for BYOD 821

What Is Dogtag, and Why Use It? 821

Prerequisites 821

Installing 32-bit Fedora 15 821

Configuring Networking 823

Installing Packages with yum 825

Configuring Proxy (if Needed) 825

Updating System Packages with yum 826

Installing and Configuring the NTP Service 826

Installing the LDAP Server 827

Installing the PHP Services 828

Installing and Configuring Dogtag 829

Modifying the Firewall Rules (iptables) 830

Creating a New CA Instance 830

Enabling and Configuring SCEP 840

Preparing Apache 841

Configuring ISE to Use the New Dogtag CA 842

Adding Dogtag to the SCEP RA Profiles 843

Appendix D Sample Switch Configurations 845

Catalyst 2960/3560/3750 Series, 12.2(55)SE 845

Catalyst 3560/3750 Series, 15.0(2)SE 848

Catalyst 4500 Series, IOS-XE 3.3.0/15.1(1)SG 852

Catalyst 6500 Series, 12.2(33)SXJ 856

Glossary 861

Index 868